ILOVEYOU
| ILOVEYOU | |
|---|---|
| Image: email with an infected attachment | |
| Malware details | |
| Aliases | Love Bug, Loveletter |
| Type | Computer worm |
| Origin | Manila, Philippines |
| Author | Onel de Guzman |
| Technical details | |
| Platforms | |
| Size | 10.31 kilobytes |
| Written in | VBScript |
ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers beginning on 4 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs".[1] Windows computers often hide the VBS file extension (a type of interpreted file) by default, because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activated the VBScript script. First, the worm inflicted damage on the local machine, overwriting files (including image files; however, it hid MP3 files instead of deleting them). Then, it copied itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread faster than previous email worms.[2]
Onel de Guzman,[3] a 24-year-old computer science student at AMA Computer College[4] and resident of Manila, Philippines, created the malware. Because there were no laws in the Philippines against making malware at the time of its creation, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000 to discourage future iterations of such activity. However, the Constitution of the Philippines prohibits ex post facto laws, and as such, de Guzman could not be prosecuted.[5]
Background
The ILOVEYOU worm was coded by Onel de Guzman, a student at AMA Computer College in the Philippines. At the time of its creation, de Guzman was poor and struggling to pay for the country's dial-up internet access.[4] De Guzman believed that internet access was a human right,[4] and submitted an undergraduate thesis to the college which proposed the development of a trojan to steal internet login details.[6] He reasoned that this would allow users to be able to afford an internet connection, arguing that those affected by it would experience no loss.[4] The proposal was rejected by the college, which remarked that his proposal was "illegal" and that "they did not produce burglars".[6] This led de Guzman to claim that his professors were closed-minded,[3] ultimately dropping out of the college to begin developing the worm.[7]
Architecture
De Guzman wrote ILOVEYOU in VBScript, and the Windows Script Host is utilized to run the code. ILOVEYOU was distributed through malicious email attachments. The worm was found in emails with the subject "ILOVEYOU" and a message of "Kindly check the attached love letter from me." The attachment LOVE-LETTER-FOR-YOU.TXT.vbs contained the worm.[8]
Upon opening the file, the worm copies itself into relevant directories so it will be run upon reboot of the computer. Two of the three copies masquerade as legitimate Microsoft Windows library files, named MSKernel32.vbs and Win32DLL.vbs. The other copy retains the original LOVE-LETTER-FOR-YOU.TXT.vbs name.[9]
The worm attempts to download a trojan horse named WIN-BUGSFIX.exe. To achieve this, the victim's Internet Explorer homepage is set to a URL that downloads the trojan upon opening the browser. If the download is successful, the trojan is set to run upon reboot and the Internet Explorer homepage is set to a blank page. The trojan fulfils de Guzman's primary aim by stealing passwords.[9]
The worm sends its trademark email to all contacts in the victim's address book. To prevent multiple emails being sent to one person from each successive run of the worm, a registry key is generated for each address book entry once an email has been sent. The worm will only send an email if the registry key is not present. This also allows for emails to be sent to new contacts placed in the address book. ILOVEYOU also has the capability to spread via Internet Relay Chat channels.[9]
The worm searches connected drives for files to modify. All VBScript files it finds (.vbs, .vbe) are overwritten with the worm's code. Files with extensions .jpg, .jpeg, .js, .jse, .css, .wsh, .sct, and .hta are replaced with copies of the worm that have the same base file name but appended with the .vbs extension. Copies for .mp2 and .mp3 files are similarly produced, but the original files are hidden instead of removed.[9]
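The file-system changes described above leave name patterns a responder can sort by the recovery action they imply. The following triage sketch is an added example, not part of the original article or of any published analysis; the `triage` function, its category names and the sample listing are constructed for illustration, and name matches are leads to confirm by inspecting file content.

```python
import ntpath

# Names and extensions as given in the article's description of the worm.
DROPPED_NAMES = {"mskernel32.vbs", "win32dll.vbs", "love-letter-for-you.txt.vbs"}
REPLACED_EXTS = {".jpg", ".jpeg", ".js", ".jse", ".css", ".wsh", ".sct", ".hta"}
HIDDEN_EXTS = {".mp2", ".mp3"}

def triage(listing):
    """listing: (windows_path, is_hidden) pairs from a file inventory.
    Groups findings by the action each one implies for the responder."""
    present = {p.lower(): (p, hidden) for p, hidden in listing}
    findings = {"worm_copies": [], "restore_from_backup": [],
                "unhide": [], "inspect_content": []}
    for key in sorted(present):
        path = present[key][0]
        stem, ext = ntpath.splitext(key)
        if ext not in (".vbs", ".vbe"):
            continue
        inner = ntpath.splitext(stem)[1]   # extension underneath the .vbs
        if ntpath.basename(key) in DROPPED_NAMES:
            findings["worm_copies"].append(path)
        elif ext == ".vbs" and inner in REPLACED_EXTS | HIDDEN_EXTS:
            findings["worm_copies"].append(path)
            if stem not in present:
                # Original was replaced: only a backup can bring it back.
                findings["restore_from_backup"].append(path[:-len(ext)])
            elif inner in HIDDEN_EXTS and present[stem][1]:
                # Original survives with the hidden attribute set.
                findings["unhide"].append(present[stem][0])
        else:
            # Pre-existing scripts are overwritten in place, so the name
            # alone proves nothing; the content has to be checked.
            findings["inspect_content"].append(path)
    return findings

# Constructed sample inventory (paths are illustrative only).
SAMPLE = [
    (r"D:\evidence\sys\MSKernel32.vbs", False),
    (r"D:\evidence\home\Pictures\beach.JPG.vbs", False),
    (r"D:\evidence\home\Music\song.mp3", True),
    (r"D:\evidence\home\Music\song.mp3.vbs", False),
    (r"D:\evidence\home\Docs\report.txt", False),
    (r"D:\evidence\home\Scripts\backup.vbs", False),
]

if __name__ == "__main__":
    for action, paths in triage(SAMPLE).items():
        print(action, paths)
```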
Deceptive methods
ILOVEYOU is considered to be one of the first examples of malware using social engineering,[10] since its email encouraged potential victims to open the infected attachment under the pretext they had a lover who was attempting to contact them.[11] The worm's use of its previous victim's address book further incentivized recipients to comply, as emails appeared to come from close contacts.[12] The worm's subsequent success has resulted in the use of social engineering in many modern-day malware attacks.[10]
The attachment's file name took advantage of a Microsoft Windows feature, "Hide extensions for known file types", under which only the base file name is displayed. Because the file name was parsed from right to left and parsing stopped at the first period, only the worm's real .vbs extension was hidden, and to victims the attachment could appear to be an inconspicuous .txt file incapable of holding malware.[12] De Guzman also claimed that a bug in Windows 95, where code in email attachments was automatically run upon being clicked, contributed to the worm's success.[4]
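A mail filter can apply the same right-to-left parsing to see both what the recipient is shown and what Windows will actually run. This check is an added example, not code from the original article; the `check_attachment` function, the flag names and the decoy-extension list are assumptions made for illustration, and the script-extension set is limited to the script-host types the article names.

```python
import ntpath

# Script-host file types named in the article; treating exactly this set
# as "runs code when opened" is an assumption of this example.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsh", ".sct", ".hta"}
# Extensions a recipient is likely to read as harmless data (assumed list).
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".mp3", ".doc", ".pdf"}

def check_attachment(filename):
    """Return what the user is shown, the real extension, and any flags."""
    # Windows drops trailing dots and spaces when a file is saved, so
    # "a.txt.vbs. " lands on disk as "a.txt.vbs"; normalise before parsing.
    name = ntpath.basename(filename).rstrip(". ")
    shown, real_ext = ntpath.splitext(name)   # split at the last period
    decoy_ext = ntpath.splitext(shown)[1]     # what looks like the extension
    flags = []
    if real_ext.lower() in SCRIPT_EXTS:
        flags.append("script-attachment")
        if decoy_ext.lower() in DECOY_EXTS:
            flags.append("double-extension")
    # "shown_as" is the name displayed when extension hiding is enabled
    # and the real extension is a registered file type.
    return {"shown_as": shown, "real_ext": real_ext.lower(), "flags": flags}

def scan(filenames):
    """Keep only the attachments that raised at least one flag."""
    results = ((f, check_attachment(f)) for f in filenames)
    return {f: r["flags"] for f, r in results if r["flags"]}

# Constructed sample attachment names.
SAMPLE_NAMES = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "holiday.JPG.VBS. ",
    "deploy.vbs",
    "notes.txt",
    "v1.2.release-notes.txt",
]

if __name__ == "__main__":
    for name, flags in scan(SAMPLE_NAMES).items():
        print(repr(name), flags)
```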
Variants
The use of VBScript in ILOVEYOU's coding allowed for easy modification to change the worm's behaviour. Over 25 variants of the ILOVEYOU worm have been recorded.[13] Variants exhibited a variety of behaviours that differed from the original worm, such as changing which file extensions were affected, modifying the email subject (sometimes to target a specific audience) and changing the worm's author credit.[13][14]
A notable variant of ILOVEYOU was NewLove, which was especially destructive since it targeted every file on the victim's hard drive until their computer stopped working[15] and evaded antivirus software.[15][16] Despite widespread coverage of this variant by media outlets, it failed to cause significant damage.[16]
Spread
Originally designing the worm to only work in Manila, de Guzman removed this geographic restriction out of curiosity, which allowed the worm to spread worldwide. De Guzman did not expect this worldwide spread.[4]
The worm originated in the Pandacan neighborhood of Manila in the Philippines on 4 May 2000,[17] thereafter moving westward through corporate email systems as employees began their workday that Friday morning, moving first to Hong Kong, then to Europe, and finally the United States.[18][19] Whole networks were compromised when any one user opened a single attachment.[20]
Europe
In the United Kingdom, the worm reached the email servers of the House of Commons on 4 May.[6] The servers were shut down for two hours in response.[18] The worm affected the banking system of Belgium.[21]
United States
The worm affected most federal government agencies and caused disruption to multiple of them, including the Department of Justice, the Department of Labor and the Social Security Administration.[21] Operations of the Central Intelligence Agency[18] and the Department of Defense were significantly obstructed,[21] with the United States Army having 2,258 infected workstations that cost approximately US$79,200 to recover.[22] The Veterans Health Administration received 7,000,000 ILOVEYOU emails during the outbreak, requiring 240 man-hours of work to resolve the problems created.[21] Files at the National Aeronautics and Space Administration were damaged, and in some cases unrecoverable from backups.[21]
Investigations
Local internet service provider Sky Internet took down web pages delivering the WIN-BUGSFIX.exe trojan.[23] Further investigations by ISPs linked the malware to a phone line associated with an apartment belonging to de Guzman's sister.[24] De Guzman's mother warned him of the worm's public attention and his computer,[4][25] but left behind floppy disks containing malware that unintentionally implicated other students from AMA Computer College.[26] A police raid on 8 May 2000 led to the seizure of these disks and the arrest of de Guzman's sister's boyfriend.[24] Authorities initially presented him as the main suspect for the creation of the worm and sought to find de Guzman's sister, but released him a day later because of insufficient evidence.[27][28]
The Philippines' National Bureau of Investigation was unsure of what felonies could apply[29] since there were no specific laws against hacking in the Philippines at the time.[4] Ultimately, de Guzman was charged under the Access Device Regulation Act, a law designed mainly to penalize credit card fraud, and malicious mischief, a felony involving damage to property.[30] All charges against De Guzman were later dropped by prosecutors, since the evidence collected did not support what had been filed.[31][32]
2019 interview of de Guzman
De Guzman's last known public appearance was at a press conference on 11 May 2000, where he obscured his face and allowed his lawyer to answer most questions; his whereabouts remained mostly unknown afterward.[4] In April 2019, investigative journalist Geoff White visited the Quinta Market in Manila to look for de Guzman, following a tip off from an internet forum.[25] He discovered de Guzman working at a mobile phone repair stall in the market.[26] De Guzman admitted to creating and releasing the worm, and cleared all others who had been accused of co-authoring it.[4] White later published his findings in his cybercrime book, Crime Dot Com (2020).[4]
Aftermath
ILOVEYOU has repeatedly been named as one of the most destructive and virulent pieces of malware in history.[6][11][33] Within ten days of the first reported cases, over fifty million infections had been reported,[34] and it is estimated that 10% of Internet-connected computers in the world were eventually affected.[12] It is difficult to numerically quantify the damages caused by ILOVEYOU;[20] however, estimates in the 2020s place this figure between US$10[6][35] and $15 billion.[12] These primarily consisted of the time and effort spent removing infection and recovering files from backups.
To address legislative deficiencies against computer hacking, in July 2000 the Philippine Congress enacted Republic Act No. 8792 (also known as the E-Commerce Law).[5][36] Since this law was passed after the worm's release, de Guzman could not be prosecuted retroactively under it.[6][36] De Guzman's actions received mixed reactions: some believed he had evaded justice, while others viewed him as a hero, and he was offered (but ultimately turned down) jobs at computer companies.[6][37]
Cultural impact
The events inspired the song "E-mail" on the Pet Shop Boys' UK top-ten album of 2002, Release.[38]
"I love you [rev.eng]" exhibited in July 2006 is a revamped and expanded version of an exhibition shown in June 2002 in the Museum for Applied Art in Frankfurt, in February 2003 at transmediale in Berlin, in August 2004 at the Watson Institute of the Brown University USA and in October 2004 at the Museum for Communication Copenhagen, Denmark.[39] In 2009, Kiat Kiat Projects curated an email exhibition entitled "How to Prevent Hair Loss" inspired by ILOVEYOU.[40][41]
The worm inspired the 2011 movie Subject: I Love You starring Jericho Rosales and Briana Evigan.[42] In 2019, The Persistence of Chaos, a laptop infected with six viruses including ILOVEYOU, was sold at auction by Chinese artist Guo O Dong.[43] In November 2024, The Museum of Malware Art in Helsinki, Finland included a sculpture about ILOVEYOU.[44]
References
- ^ Poulsen, Kevin (3 May 2010). "May 4, 2000: Tainted 'Love' Infects Computers". Wired. ISSN 1059-1028. Archived from the original on 28 July 2021. Retrieved 28 July 2021.
- ^ "What is the ILOVEYOU worm, what does it do, and how do I detect and remove it?". University Information Technology Services. 18 January 2018. Archived from the original on 28 July 2021. Retrieved 28 July 2021.
- ^ a b Landler, Mark (21 October 2000). "A Filipino Linked to 'Love Bug' Talks About His License to Hack". The New York Times. Archived from the original on 23 March 2010. Retrieved 5 May 2010.
- ^ a b c d e f g h i j k White, Geoff (12 September 2020). "The 20-Year Hunt for the Man Behind the Love Bug Virus". Wired. ISSN 1059-1028. Archived from the original on 15 September 2020. Retrieved 15 September 2020.
- ^ a b Caña, Paul John (4 May 2020). "Filipino Creator of the 'I Love You' Virus Just Did It So He Could Get Free Internet". Esquire Philippines. Archived from the original on 7 June 2020. Retrieved 19 January 2021.
- ^ a b c d e f g Griffiths, James (3 May 2020). "How a badly-coded computer virus caused billions in damage | CNN Business". CNN. Archived from the original on 27 July 2024. Retrieved 29 June 2024.
- ^ "Virus Charges Dropped". The New York Times. 6 September 2000. Archived from the original on 20 January 2025. Retrieved 4 January 2025.
- ^ Meek, James (5 May 2000). "Love bug virus creates worldwide chaos". The Guardian. ISSN 0261-3077. Retrieved 10 June 2024.
- ^ a b c d Bishop, Matt. (2000). Analysis of the ILOVEYOU Worm.
- ^ a b Speed, Richard (5 May 2020). "It has been 20 years since cybercrims woke up to social engineering with an intriguing little email titled 'ILOVEYOU'". The Register. Archived from the original on 10 June 2024. Retrieved 10 June 2024.
- ^ a b Poulsen, Kevin (3 May 2010). "Top Ten Most-Destructive Computer Viruses". Smithsonian Magazine. Archived from the original on 17 May 2014. Retrieved 10 June 2024.
- ^ a b c d Winder, Davey (4 May 2020). "This 20-Year-Old Virus Infected 50 Million Windows Computers In 10 Days: Why The ILOVEYOU Pandemic Matters In 2020". Forbes. Archived from the original on 24 October 2020. Retrieved 10 June 2024.
- ^ a b "I LOVE YOU Virus Help". Computer Hope. Archived from the original on 9 February 2013. Retrieved 11 February 2013.
- ^ "Symantec detects all known new variants of VBS.LoveLetter.A worm". Symantec. 6 May 2000. Archived from the original on 16 March 2014. Retrieved 8 February 2013.
- ^ a b Hopper, Ian; Lockridge, Rick; Young, Steve (19 May 2000). "New computer virus more destructive, but appears less infectious". CNN. Archived from the original on 3 June 2004. Retrieved 17 March 2026.
- ^ a b ""NewLove" warnings spread faster than virus itself". CNET. 19 May 2000. Retrieved 10 April 2026.
- ^ "No excuse for virus toll, warns MessageLabs". MessageLabs. 10 May 2000. Archived from the original on 14 December 2000.
- ^ a b c Kane, Margaret (3 May 2000). "'ILOVEYOU' e-mail worm invades PCs". ZDNET. Archived from the original on 30 June 2024. Retrieved 29 June 2024.
- ^ "'Love bug' hacker is Pandacan man, 23". The Philippine Star. 6 May 2000. Archived from the original on 3 February 2014. Retrieved 23 August 2013.
- ^ a b Heiney, James (2023). "ILOVEYOU Virus Attacks Computers | Computer Science | Research Starters | EBSCO Research". EBSCO. Retrieved 14 March 2026.
- ^ a b c d e Brock Jr., Jack (18 May 2000). Critical Infrastructure Protection: "ILOVEYOU" Computer Virus Highlights Need for Improved Alert and Coordination Capabilities (PDF) (Report). United States General Accounting Office. Retrieved 30 June 2024.
- ^ "ILOVEYOU" Virus: Lessons Learned Report (Report). United States Army. 29 April 2003. Archived from the original on 13 June 2025. Retrieved 30 June 2024.
- ^ Festa, Paul (4 May 2000). "Philippine ISP cooperating with FBI in virus probe". CNET. Retrieved 28 April 2026.
- ^ a b "Love Bug Suspect Off The Hook". CBS News. 21 August 2000. Retrieved 14 March 2026.
- ^ a b White, Geoff (2 May 2020). "Love Bug's creator tracked down to repair shop in Manila". BBC News. Archived from the original on 3 May 2020. Retrieved 3 May 2020.
- ^ a b White, Geoff (21 April 2020). "Revealed: The man behind the first major computer virus pandemic". Computer Weekly. Archived from the original on 19 November 2024. Retrieved 3 May 2020.
- ^ "Suspect Freed; Lack of Evidence". WIRED. 9 May 2000. ISSN 1059-1028. Retrieved 28 April 2026.
- ^ Burke, Lynn (9 May 2000). "Still Searching for Worm Culprit". WIRED. ISSN 1059-1028. Retrieved 28 April 2026.
- ^ Gana Jr., Severino. "Prosecution Of Cyber Crimes Through Appropriate Cyber Legislation In The Republic Of The Philippines". Asia Crime Prevention Foundation. Archived from the original on 6 February 2008.
- ^ "Virus Suspect to Be Charged". Reuters. 15 June 2000. Retrieved 28 April 2026 – via The New York Times.
- ^ Arnold, Wayne (22 August 2000). "Technology; Philippines to Drop Charges on E-Mail Virus". The New York Times. Archived from the original on 9 February 2011. Retrieved 5 May 2010.
- ^ "Charges dropped against Love Bug suspect". CBC News. 21 August 2000. Retrieved 28 April 2026.
- ^ Byman, Cary (25 June 2025). "25 years ago: The ILOVEYOU worm". ITNOW. Vol. 67, no. 3. pp. 36–37. doi:10.1093/itnow/bwaf084. Retrieved 7 April 2026.
- ^ Barker, Gary (14 May 2000). "Microsoft May Have Been Target of Lovebug". The Age.
- ^ Kelly, Ross (5 May 2025). "'ILOVEYOU': The virus that rocked the world, 25 years on". TechRadar. Archived from the original on 5 January 2026. Retrieved 15 March 2026.
- ^ a b "Philippine Dropout to Be Charged for 'Love Bug'". Reuters. 15 June 2000. Retrieved 8 April 2026 – via The New York Times.
- ^ Wayne, Arnold (22 August 2000). "Philippines to Drop Charges on E-Mail Virus". The New York Times. Retrieved 8 April 2026.
- ^ Kuhn, Thomas (24 April 2020). "Iloveyou: Ein Liebesschwur mit Langzeitwirkung". Wirtschaftswoche (in German). Archived from the original on 23 February 2024. Retrieved 10 March 2026.
- ^ "I Love You [Rev.Eng] • Digicult | Digital Art, Design and Culture". Digicult | Digital Art, Design and Culture. 20 July 2006. Archived from the original on 15 December 2024. Retrieved 15 December 2024.
- ^ "How to Prevent Hair Loss, Kiat Kiat Projects - NECSUS". necsus-ejms.org. 11 December 2023. Archived from the original on 15 December 2024. Retrieved 15 December 2024.
- ^ "ArtAsiaPacific: Alternative Toolkits: Interview with Kiat Kiat Projects". ArtAsiaPacific. Archived from the original on 15 December 2024. Retrieved 15 December 2024.
- ^ "Premiere of Jericho Rosales' international film Subject: I Love You at Newport Beach Film Festival sold out". SPOT.PH. 3 May 2011. Archived from the original on 26 January 2025. Retrieved 15 December 2024.
- ^ Solly, Meilan. "A Laptop Infected With the World's Most Dangerous Viruses Sold for $1.3 Million". Smithsonian Magazine. Retrieved 15 December 2024.
- ^ "Art and cybersecurity collide at the Museum of Malware Art". Cybernews. 5 July 2024. Archived from the original on 3 November 2024. Retrieved 15 December 2024.
External links
- Radsoft: The ILOVEYOU Roundup Archived 22 June 2024 at the Wayback Machine
- "No 'sorry' from Love Bug author" at The Register
- CERT Advisory CA-2000-04 Love Letter Worm (archive)
